IETF Logo Mail Archive

Re: [ietf] DNS spoofing at captive portals

"Richard L. Barnes" <rbarnes@bbn.com> Fri, 24 September 2010 16:00 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 739013A6B00 for <ietf@core3.amsl.com>; Fri, 24 Sep 2010 09:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.258
X-Spam-Level:
X-Spam-Status: No, score=-102.258 tagged_above=-999 required=5 tests=[AWL=0.041, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NdmpgF3g1GW for <ietf@core3.amsl.com>; Fri, 24 Sep 2010 09:00:19 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 1A4593A6B7B for <ietf@ietf.org>; Fri, 24 Sep 2010 09:00:19 -0700 (PDT)
Received: from ros-dhcp192-1-51-60.bbn.com ([192.1.51.60]:62942) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OzAhe-000I0j-QK; Fri, 24 Sep 2010 12:00:51 -0400
Message-Id: <E4B99AF3-13D0-4B99-9365-88E181C6A1C6@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Alfred HÎnes <ah@TR-Sys.de>
In-Reply-To: <201009241238.OAA29283@TR-Sys.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v936)
Subject: Re: [ietf] DNS spoofing at captive portals
Date: Fri, 24 Sep 2010 12:00:49 -0400
References: <201009241238.OAA29283@TR-Sys.de>
X-Mailer: Apple Mail (2.936)
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:00:21 -0000

This document is probably relevant, although it goes the route of  
"providing guidelines for minimum breakage" rather than forbidding.
<http://tools.ietf.org/html/draft-livingood-dns-redirect-02>


On Sep 24, 2010, at 8:38 AM, Alfred HÎnes wrote:

> At Fri, 24 Sep 2010 07:21:21 -0400,  Michael Richardson wrote:
>
>> Has the IETF (or rather then IAB) written any simple documents that
>> explain to less informed (i.e. marketing/product) managers why it
>> is a bad thing for a captive portal to spoof DNS replies?
>> (not just in regard to DNSSEC, but also in regards to just caching)
>
> a) Most of the arguments explained in the 2003 IAB Commentary:
>   "Architectural Concerns on the use of DNS Wildcards",
>   <http://www.IAB.ORG/documents/docs/2003-09-20-dns-wildcards.html>,
>   apply in a similar fashion, but it indeed would be a good idea
>   to produce such document.  I think much text from 2003 could
>   be leveraged.
>
> b) It should be clearly spelled out that this practice falls among the
>   category of actions commonly known as man-in-the-middle attacks.
>
> c) draft-livingood-dns-redirect and draft-livingood-dns-malwareprotect
>   descibe these "services" in a much too friendly tone;
>   terms like "service" and "benefits for users" are clearly
>   abuse of language -- the above IAB statement already indicates
>   that similar interference with the DNS causes severe damage
>   to user perception and performance.
>   These drafts should clearly spell out the downside of these
>   methods and their fundamental nature, being MitM attacks.
>
> d) In my personal opinion, the original idea of having recursive
>   DNS resolvers located "close to the hosts" should be given more
>   traction again in the future.  All kinds of SOHO access gateways
>   or home gateways should preferably offer (locally) full recursive
>   and validating DNS resolution service.  The ISP-based DNS recursor
>   was (and perhaps still is) a good idea in low-bandwidth (dial-in)
>   access networks, where the (bandwidth and monetary) costs of full
>   DNS service actually matter and are detrimental for the users, but
>   it does not make sense any more for broadband access networks with
>   (almost) bandwidth-usage independent billing models (flat rates).
>
>   Thus the dependency on (both technically and policy-wise!) powerful
>   "central" caching resolvers could be reduced dramatically.
>   DNSSEC validation makes most sense for applications when performed
>   as close as possible to the stub resolver, if the latter cannot
>   perform this function itself; this way, the unprotected path
>   at least is constrained to within the users' sites and hence their
>   own "administrative domain".
>   Experience has shown that huge central resolver systems are very
>   attractive targets for external attacks as well as for insider
>   attacks (like ${subject}).
>
> Kind regards,
>  Alfred HÎnes.
>
> -- 
>
> +------------------------ 
> +--------------------------------------------+
> | TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.- 
> Phys.  |
> | Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax:  
> -18         |
> | D-71254  Ditzingen     |  E-Mail:  ah@TR- 
> Sys.de                     |
> +------------------------ 
> +--------------------------------------------+
>
> -
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email